Closed paquin-jrm closed 1 year ago
The server logs `alert unknown ca` when you connect via `mosquitto_sub`. You will likely have to specify the CA file:

```
$ mosquitto_sub -h ..... --cafile /etc/mosquitto/ca_certificates/mosquitto-certificate-authority.crt
```

Also, I'm getting dizzy with the number of TLS-related certificate files and keys; I think you're duplicating a lot of the configuration. :-)
Thanks jpmens. I amended the sub command but I'm still getting a TLS error. This is what I get from the log:

```
1642010249: mosquitto version 2.0.9 running
1642010547: Client connection from 125.64.94.221 failed: error:1417D09F:SSL routines:tls_process_client_hello:length mismatch.
1642010549: New connection from 125.64.94.221:47808 on port 8883.
1642010549: Client <unknown> disconnected due to protocol error.
1642010550: New connection from 125.64.94.221:48046 on port 8883.
1642010550: OpenSSL Error[0]: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
1642010550: Client <unknown> disconnected: Protocol error.
1642010550: New connection from 125.64.94.221:48128 on port 8883.
1642010552: Client <unknown> closed its connection.
1642010553: New connection from 125.64.94.221:48302 on port 8883.
1642010553: Client <unknown> disconnected: Protocol error.
1642010554: New connection from 125.64.94.221:48512 on port 8883.
1642010555: Client <unknown> disconnected: Protocol error.
1642010555: New connection from 125.64.94.221:48758 on port 8883.
1642010555: Client <unknown> disconnected: Protocol error.
1642010556: New connection from 125.64.94.221:49200 on port 8883.
1642010556: Client <unknown> disconnected: Protocol error.
1642010556: New connection from 125.64.94.221:49278 on port 8883.
1642010557: Client <unknown> disconnected: Protocol error.
1642010558: Client connection from 125.64.94.221 failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol.
1642010559: New connection from 125.64.94.221:49564 on port 8883.
1642010559: Client <unknown> disconnected: Protocol error.
1642010559: New connection from 125.64.94.221:49638 on port 8883.
1642010560: Client <unknown> disconnected: Protocol error.
1642010560: Client connection from 125.64.94.221 failed: error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher.
1642010562: Client connection from 125.64.94.221 failed: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share.
1642010691: mosquitto version 2.0.9 terminating
1642010691: Saving in-memory database to /var/lib/mosquitto//mosquitto.db.
```
And from systemctl:

```
user@pi:/var/log/mosquitto $ sudo systemctl status mosquitto
● mosquitto.service - Mosquitto MQTT Broker
   Loaded: loaded (/lib/systemd/system/mosquitto.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2022-01-10 03:38:50 GMT; 2 days ago
     Docs: man:mosquitto.conf(5)
           man:mosquitto(8)
  Process: 28603 ExecStartPre=/bin/mkdir -m 740 -p /var/log/mosquitto (code=exited, status=0/SUCCESS)
  Process: 28604 ExecStartPre=/bin/chown mosquitto /var/log/mosquitto (code=exited, status=0/SUCCESS)
  Process: 28605 ExecStartPre=/bin/mkdir -m 740 -p /var/run/mosquitto (code=exited, status=0/SUCCESS)
  Process: 28606 ExecStartPre=/bin/chown mosquitto: /var/run/mosquitto (code=exited, status=0/SUCCESS)
  Process: 28607 ExecStart=/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf (code=exited, status=1/FAILURE)
 Main PID: 28607 (code=exited, status=1/FAILURE)

Jan 10 03:38:50 owntracks systemd[1]: mosquitto.service: Service RestartSec=100ms expired, scheduling restart.
Jan 10 03:38:50 owntracks systemd[1]: mosquitto.service: Scheduled restart job, restart counter is at 5.
Jan 10 03:38:50 owntracks systemd[1]: Stopped Mosquitto MQTT Broker.
Jan 10 03:38:50 owntracks systemd[1]: mosquitto.service: Start request repeated too quickly.
Jan 10 03:38:50 owntracks systemd[1]: mosquitto.service: Failed with result 'exit-code'.
Jan 10 03:38:50 owntracks systemd[1]: Failed to start Mosquitto MQTT Broker.
user@pi:/var/log/mosquitto $
```
Clearly I think you're right that I've got something wrong with my crt/key/csr combination.
I followed the steps outlined in https://forums.raspberrypi.com/viewtopic.php?t=287326 because the ownTracks booklet info was a little sparse on the TLS setup details.
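The log above mixes handshake failures from the LAN client with failures from an unrelated Internet address probing port 8883. As an added example (not code from the thread), this shell function summarises TLS failures per source address from lines in Mosquitto's own log format; the sample lines are constructed, and the private-range classification is an assumption about the poster's network.

```shell
#!/bin/sh
# Added example, not part of the thread: summarise TLS handshake failures
# in a Mosquitto log per source address, so a LAN client with a certificate
# problem can be told apart from unrelated probes of port 8883.
set -eu

# Constructed sample in the format Mosquitto writes (values are made up).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
1642010547: Client connection from 125.64.94.221 failed: error:1417D09F:SSL routines:tls_process_client_hello:length mismatch.
1642010549: New connection from 125.64.94.221:47808 on port 8883.
1642010549: Client <unknown> disconnected due to protocol error.
1642010550: New connection from 125.64.94.221:48046 on port 8883.
1642010550: OpenSSL Error[0]: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
1642010550: Client <unknown> disconnected: Protocol error.
1642010560: Client connection from 125.64.94.221 failed: error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher.
1643165437: New connection from 10.0.0.6:60402 on port 8883.
1643165437: OpenSSL Error[0]: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
1643165437: Client <unknown> disconnected: Protocol error.
1643165500: New connection from 10.0.0.7:50000 on port 8883.
1643165500: New client connected from 10.0.0.7:50000 as sensor01 (p2, c1, k60).
EOF

# Print one line per failing source: ip<TAB>failures<TAB>scope<TAB>last error.
# "OpenSSL Error" lines carry no address, so each is attributed to the
# address of the preceding "New connection from" line (one failure per connection).
tls_failures() {
  awk '
    function scope(ip) {
      if (ip ~ /^10\./ || ip ~ /^192\.168\./ || ip ~ /^127\./ ||
          ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
        return "private"
      return "public"
    }
    /New connection from/ { sub(/:[0-9]+$/, "", $5); last = $5; next }
    /Client connection from .* failed:/ {
      n[$5]++; err[$5] = substr($0, index($0, "error:")); next
    }
    /OpenSSL Error\[[0-9]+\]:/ && last != "" {
      n[last]++; err[last] = substr($0, index($0, "error:")); last = ""
    }
    END {
      for (ip in n) printf "%s\t%d\t%s\t%s\n", ip, n[ip], scope(ip), err[ip]
    }
  ' "$1" | sort
}

tls_failures "$SAMPLE_LOG"
```

On the sample above this reports one "unknown ca" failure from the private address and three assorted handshake failures from the public one; run it against /var/log/mosquitto/mosquitto.log to get the same breakdown for a real broker.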
Two things I find confusing here:

1. `encryption.conf`? You're already defining the TLS settings for mosquitto in `mosquitto.conf`, so it's not clear what that other file is doing. I'd just delete it and see if that helps.
2. `mosquitto_sub` thinks it's connecting to something listening on port 8883. Is the broker running?

I agree with what @growse says (his 1. point is what I meant with "I'm getting dizzy with the number of TLS-related certificate files and keys" :-). Please make sure you are specifying certificates and keys once in your configuration only; I've no idea how Mosquitto (or any other bit of kit which uses OpenSSL) will react to being configured with duplicates.
Your `mosquitto.log` is showing `sslv3 alert bad certificate`, which is worrisome, and it indeed looks from what you've shown us that the broker actually is running even though systemd says it isn't.
I'd like to propose you avoid using systemd for a moment and launch your broker manually at the console:

```
$ sudo systemctl stop mosquitto
$ ps ax|grep mosquitto
(if you see any, kill them off)
$ sudo /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf -v
```

Option `-v` will print out verbose information on your console. Ensure you see nothing that looks like an error or warning. If so, hit Ctrl-C, re-edit the config and restart mosquitto like we've just done.

On a second terminal, try your `mosquitto_sub`.
Sorry for the late reply. Following your advice, here's what I have now.
Starting the broker and confirming it's the only one running:

```
user@pi:~ $ sudo /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf -v
user@pi:/var/log/mosquitto $ ps ax | grep mosquitto
 4771 pts/1    S+     0:00 sudo /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf -v
 4772 pts/1    S+     0:00 /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf -v
 4876 pts/2    R+     0:00 grep --color=auto mosquitto
user@pi:/var/log/mosquitto $
```
Launching the sub from another terminal, a TLS error occurs:

```
user@pi:~ $ mosquitto_sub -h 10.0.0.6 -p 8883 -v -t 'channel/#' -u user -P password
Error: A TLS error occurred.
user@pi:~ $
```
Checking the log:

```
user@pi:/var/log/mosquitto $ sudo less mosquitto.log
...
1643165388: mosquitto version 2.0.12 starting
1643165388: Config loaded from /etc/mosquitto/mosquitto.conf.
1643165388: Opening ipv4 listen socket on port 8883.
1643165388: Opening ipv6 listen socket on port 8883.
1643165388: mosquitto version 2.0.12 running
1643165437: New connection from 10.0.0.6:60402 on port 8883.
1643165437: OpenSSL Error[0]: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
1643165437: Client <unknown> disconnected: Protocol error.
```
Looking at systemctl:

```
user@pi:/var/log/mosquitto $ sudo systemctl status mosquitto
● mosquitto.service - Mosquitto MQTT Broker
   Loaded: loaded (/lib/systemd/system/mosquitto.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2022-01-10 03:38:50 GMT; 2 weeks 1 days ago
     Docs: man:mosquitto.conf(5)
           man:mosquitto(8)
  Process: 28603 ExecStartPre=/bin/mkdir -m 740 -p /var/log/mosquitto (code=exited, status=0/SUCCESS)
  Process: 28604 ExecStartPre=/bin/chown mosquitto /var/log/mosquitto (code=exited, status=0/SUCCESS)
  Process: 28605 ExecStartPre=/bin/mkdir -m 740 -p /var/run/mosquitto (code=exited, status=0/SUCCESS)
  Process: 28606 ExecStartPre=/bin/chown mosquitto: /var/run/mosquitto (code=exited, status=0/SUCCESS)
  Process: 28607 ExecStart=/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf (code=exited, status=1/FAILURE)
 Main PID: 28607 (code=exited, status=1/FAILURE)

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
user@pi:/var/log/mosquitto $
```
I confirm I have a TLS statement in mosquitto.conf:

```
user@pi:/var/log/mosquitto $ sudo grep -i tls /etc/mosquitto/mosquitto.conf
tls_version tlsv1.2
user@pi:/var/log/mosquitto $
```
However, looking at this issue, I'm beginning to think that in creating my certificate, the required .pem file was never generated and I think I'm not offering the right file in .conf:

```
user@pi:/etc/mosquitto/ca_certificates $ locate *.pem | grep mosquitto
/home/mosquitto/mosquitto-2.0.9/test/ssl/crl-empty.pem
/home/mosquitto/mosquitto-2.0.9/test/ssl/crl.pem
user@pi:/etc/mosquitto/ca_certificates $
user@pi:/etc/mosquitto/ca_certificates $ sudo less /etc/mosquitto/mosquitto.conf | grep cafile
cafile /etc/mosquitto/ca_certificates/mosquitto-certificate-authority.crt
user@pi:/etc/mosquitto/ca_certificates $
```
Any thoughts?
You can ignore systemd/systemctl while running mosquitto directly in the shell.
Do your certificate files actually contain certificates? You can look at the .crt or .pem files with `less`; they ought to contain base64-encoded data between `--- BEGIN` and `--- END CERTIFICATE ---` lines.
You might also remind us how you created the SSL key/certificates.
If you are using `mosquitto_sub` without the `--cafile` option, you cannot use your self-created certificates.

```
1643165437: OpenSSL Error[0]: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
```

Try using `mosquitto_sub ... --cafile /etc/mosquitto/ca_certificates/mosquitto-certificate-authority.crt`
Starting the broker:

```
user@pi:~ $ sudo /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf -v
```

Starting the client:

```
user@pi:~ $ mosquitto_sub -h 10.0.0.6 -p 8883 -v -t 'channel/#' -u user -P password --cafile /etc/mosquitto/ca_certificates/mosquitto-certificate-authority.crt
Error: A TLS error occurred.
user@pi:~ $
```
From the log:

```
user@pi:/var/log/mosquitto $ sudo less mosquitto.log
...
1643205495: mosquitto version 2.0.12 starting
1643205495: Config loaded from /etc/mosquitto/mosquitto.conf.
1643205495: Opening ipv4 listen socket on port 8883.
1643205495: Opening ipv6 listen socket on port 8883.
1643205495: mosquitto version 2.0.12 running
1643205600: New connection from 10.0.0.6:34232 on port 8883.
1643205600: OpenSSL Error[0]: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
1643205600: Client <unknown> disconnected: Protocol error.
```

How the certificate/key were created, following https://forums.raspberrypi.com/viewtopic.php?t=287326 (thanks and regards to the site participants):
TLS Preparation - a Certificate Authority
The first step in creating self-signed certificates is to create a Certificate Authority and a matching key. The Certificate Authority will be used to sign any subsequent keys which will actually be used by the broker or clients. Substitute 'FI' with the correct country code for your installation. Other fields can be added as desired. However, the CN field must contain a Fully Qualified Domain Name or at least a fixed, static IP address.
```
cd /etc/mosquitto/ca_certificates/
sudo openssl req \
  -new \
  -x509 \
  -days 400 \
  -extensions v3_ca \
  -subj '/C=FI/L=Some City/CN=192.168.1.140' \
  -keyout mosquitto-certificate-authority.key \
  -out mosquitto-certificate-authority.crt
```
The certificate authority will be named 'mosquitto-certificate-authority.crt'
TLS with Authenticated MQTT - the broker
The server needs a key and then this key must be signed by the certificate authority to be accepted in TLS connections. Write permissions are needed in the appropriate directories when making the certificates.
```
cd /etc/mosquitto/certs/
openssl genrsa \
  -out mqtt-server.key \
  2048
```
Now that there is a key for the broker, a signing request is made. Be sure that CN points to the address where the broker is listening from, either a FQDN or an IP address.
```
openssl req \
  -new \
  -out mqtt-server.csr \
  -key mqtt-server.key \
  -subj '/C=FI/L=Some City/CN=192.168.1.140'
```
Once the Certificate Signing Request has been prepared, the key can be signed using the Certificate Authority.
```
openssl x509 \
  -req \
  -days 367 \
  -CA ../ca_certificates/mosquitto-certificate-authority.crt \
  -CAkey ../ca_certificates/mosquitto-certificate-authority.key \
  -CAcreateserial \
  -in mqtt-server.csr \
  -out mqtt-server.crt \
  -extfile <(printf "subjectAltName=IP:192.168.1.140")
```
Now that the broker has a signed key, known as a certificate, the following configuration file should be added to make the MQTT broker use them for encryption.
```
cat << EOC | sudo tee /etc/mosquitto/conf.d/encryption.conf
port 8883
cafile /etc/mosquitto/ca_certificates/mosquitto-certificate-authority.crt
keyfile /etc/mosquitto/certs/mqtt-server.key
certfile /etc/mosquitto/certs/mqtt-server.crt
tls_version tlsv1.2
EOC
```

Then restart the broker.

```
sudo systemctl restart mosquitto
```
With that the listening port will change from 1883 to 8883, as the former is for unprotected connections and the latter is for connections encrypted with TLS. Now check the logs that 'tail' is showing to see that the broker has started correctly.
```
sudo netstat -lnpt
sudo systemctl status mosquitto
sudo journalctl -u mosquitto
```
The 'netstat' utility will show that it is listening on port 8883 and the others will show the status of the systemd service. There should be no errors or warnings.
TLS with Authenticated MQTT - the clients
This step should be repeated for each client. The server key, /etc/mosquitto/certs/64bit06-server.crt above, needs to be on each client system and readable by the client. Then each client needs its own key and then that key must be signed by the certificate authority to be accepted in TLS connections.
```
cd /etc/mosquitto/certs/
openssl genrsa \
  -out listener03-client.key \
  2048
```
Now that there is a key for this client, a signing request is made for it. Be sure that CN points to the address where this particular client is listening from, either a FQDN or an IP address. Here the subscription client is on the same system as the broker and thus using the same address. However, it can be placed on another machine now, even one somewhere across the Internet.
```
openssl req \
  -new \
  -out listener03-client.csr \
  -key listener03-client.key \
  -subj '/C=FI/L=Some City/CN=192.168.1.175'
```
Once the Certificate Signing Request has been prepared, the key can be signed using the Certificate Authority.
```
openssl x509 \
  -req \
  -days 367 \
  -CA ../ca_certificates/mosquitto-certificate-authority.crt \
  -CAkey ../ca_certificates/mosquitto-certificate-authority.key \
  -CAcreateserial \
  -in listener03-client.csr \
  -out listener03-client.crt \
  -extfile <(printf "subjectAltName=IP:192.168.1.175")
```
The addition of a 'subjectAltName' field is necessary when signing the key in order to properly identify the system if it is only using an IP address and not a FQDN. Obviously, if used, it must match the system the client is on. Here the client will be at the 192.168.1.175 address on the LAN.
Now that the certificates are in place, the subscription client can be invoked using them while pointed at the broker. The broker will be at 192.168.1.140 on the same LAN.
```
mosquitto_sub -v -h 192.168.1.140 \
  -u probes -P 'abcdefg' \
  --key /etc/mosquitto/certs/listener03-client.key \
  --cert /etc/mosquitto/certs/listener03-client.crt \
  --cafile /etc/mosquitto/certs/mqtt-server.crt \
  -t 'temperatures' \
  -p 8883 \
  --tls-version tlsv1.2 -i listener03
```
Then for a publication client, make an additional key, certificate signing request, and a certificate using new names, pub05-* for example. Then publish to the broker:
```
mosquitto_pub -h 192.168.1.140 \
  -u probes -P 'abcdefg' \
  --key /etc/mosquitto/certs/pub05-client.key \
  --cert /etc/mosquitto/certs/pub05-client.crt \
  --cafile /etc/mosquitto/certs/mqtt-server.crt \
  -t 'temperatures' \
  -p 8883 \
  --tls-version tlsv1.2 -i pub05 \
  -m 'Hello, World!'
```
As usual, the client's identifier must be unique to that client. Also, note that the clients' certificate authority needs to point to the broker's certificate, not the broker's certificate authority.
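The CA and broker-certificate steps quoted above can be checked offline before touching the broker. The script below is an added example, not the tutorial's or the project's code: it runs those steps in a scratch directory (with `-nodes` so there is no passphrase prompt, and with its own minimal openssl.cnf so the CA gets `CA:TRUE` regardless of the system config), then verifies the chain the way a client's `--cafile` check does and confirms the IP SAN. The broker address 10.0.0.6 and all file names are assumptions.

```shell
#!/bin/sh
# Added example, not the tutorial's own code: run the CA and
# server-certificate steps quoted above in a scratch directory,
# then verify the result the way a client's --cafile check does.
# The broker address 10.0.0.6 and all file names are assumptions.
set -eu

WORK=$(mktemp -d)
ADDR=10.0.0.6   # address clients pass to -h; must appear as an IP SAN

# Self-contained openssl config so the CA gets CA:TRUE regardless of
# the system openssl.cnf (the tutorial relies on its [v3_ca] section).
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

make_certs() {
  # 1. Self-signed CA (-nodes: no passphrase prompt, unlike the quoted command).
  openssl req -config "$WORK/openssl.cnf" -new -x509 -days 400 -nodes \
    -extensions v3_ca -subj '/C=FI/L=Some City/CN=mosquitto test CA' \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # 2. Broker key and CSR; CN is the address the broker listens on.
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -config "$WORK/openssl.cnf" -new -key "$WORK/server.key" \
    -subj "/C=FI/L=Some City/CN=$ADDR" -out "$WORK/server.csr" 2>/dev/null
  # 3. Sign with the CA, adding the IP SAN (a plain file instead of the
  #    bash-only <(printf ...) so this runs under sh).
  printf 'subjectAltName=IP:%s\n' "$ADDR" > "$WORK/san.ext"
  openssl x509 -req -days 367 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Does certificate $2 chain to trust anchor $1? This is the check the
# client runs just before sending the "unknown ca" alert seen in the log.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Does certificate $1 carry an IP SAN for $2 (what -h is matched against)?
san_ok() { openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"; }

make_certs
chain_ok "$WORK/ca.crt" "$WORK/server.crt" && echo "server.crt chains to ca.crt: OK"
san_ok "$WORK/server.crt" "$ADDR" && echo "IP SAN $ADDR present: OK"
# The quoted client commands point --cafile at the broker's own certificate.
# A leaf is not a trust anchor, so OpenSSL rejects that without -partial_chain:
chain_ok "$WORK/server.crt" "$WORK/server.crt" || echo "server.crt as cafile: rejected"
```

Pointing `chain_ok` at the real `cafile` and `certfile` from mosquitto.conf tells you whether the broker's certificate was actually issued by the CA the clients are given.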
I'd like to propose you simplify all this a bit, using `./mkcert`:

```
$ mkdir /tmp/mosquitto
$ export CAROOT=/tmp/mosquitto
$ ./mkcert example.com 10.0.0.6 127.0.0.1 ::1
$ ls -1 /tmp/mosquitto
rootCA-key.pem
rootCA.pem
$ ls -1 example*
example.com+3-key.pem
example.com+3.pem
```

You should rename/copy the resulting files to a directory of your choice outside of /tmp/:

- `rootCA.pem` is your CA certificate
- `example.com+3.pem` is the server certificate
- `example.com+3-key.pem` (note the word "key" in the filename) is the server key

So, in terms of Mosquitto, its configuration would contain appropriate paths to

```
cafile rootCA.pem
certfile example.com+3.pem
keyfile example.com+3-key.pem
```

and when running on the command line, you would use

```
$ mosquitto_sub --cafile rootCA.pem ...
```
@paquin-jrm

> TLS with Authenticated MQTT - the clients

What's your reasoning for using client certs? They're not usually necessary, and significantly complicate things.
@paquin-jrm have you been successful?
I've had to put the project aside for a while. I'd hope to pick it up again this week.
From: Jan-Piet Mens. Sent: Sunday, May 1, 2022 3:06:23 PM. To: owntracks/talk. Cc: paquin-jrm; Mention. Subject: Re: [owntracks/talk] TLS failure (Issue #132)
Closing as addressed, but feel free to ask for assistance if required.
Getting an error trying to get TLS to work from my raspberry pi. Here are some details:
My configuration file:
The encryption.conf file:
Launching the broker gives this:
Trying to connect on another terminal:
What systemctl has to say:
What the application log shows:
The contents of /etc/mosquitto/ca_certificates:
The contents of /etc/mosquitto/certs:
I more than likely missed a step or executed one wrong but if anyone could point me in the right direction, I'd appreciate it greatly.
Cheers